By CAMICO Loss Prevention

This article is provided as a member benefit by CAMICO, the OSCPA preferred provider of professional liability and employment practices liability insurance.
CAMICO's cyber-related claims experience reveals that hacker attacks on CPA firm email systems were the most frequent cause of cyber-losses for firms. These cyber-attacks accounted for almost two-thirds of cyber-related claims.
Many claims are also related to tax return preparation. A trend appears to involve waiting until just before a tax return deadline (e.g., late March and early April) to launch an attack that encrypts all of the firm's tax files. A demand is then made for ransom in exchange for access to the files. Ransom demands have ranged from about $1,000 to $20,000.
E-filing identity theft and the use of stolen Social Security Numbers by fraudsters also continue to pose problems for clients and firms. Hackers trick firms into changing bank account information so that tax refunds are direct-deposited into the fraudsters' accounts. A common technique is to send the request from an email address that is one character off from the client's real address, just close enough for the recipient to assume the email is legitimate.
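The one-character-off trick can be checked mechanically before anyone acts on a request. The Python below is an added example, not CAMICO's or the article's own code; the client addresses and From: headers are constructed placeholders, and the edit-distance threshold of 2 is an assumption chosen so that both a single swapped character and an "rn" in place of "m" are caught.

```python
from email.utils import parseaddr

# Constructed list of known client addresses (placeholders, not real clients).
KNOWN_CLIENT_ADDRESSES = [
    "jane.doe@example-client.com",
    "accounting@acme-holdings.example",
]

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b ("rn" in place of "m" costs 2)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def flag_lookalike_sender(sender, known=KNOWN_CLIENT_ADDRESSES, max_distance=2):
    """Classify one sender address against the known-client list:
    'exact' matches a known address, 'lookalike' is within max_distance edits
    of one (the one-character-off trick), 'unknown' resembles none of them."""
    s = sender.strip().lower()
    closest, closest_dist = None, None
    for k in (x.lower() for x in known):
        if s == k:
            return {"sender": sender, "verdict": "exact", "closest": k, "distance": 0}
        d = edit_distance(s, k)
        if closest_dist is None or d < closest_dist:
            closest, closest_dist = k, d
    near = closest_dist is not None and closest_dist <= max_distance
    return {"sender": sender, "verdict": "lookalike" if near else "unknown",
            "closest": closest, "distance": closest_dist}

def triage_from_headers(from_headers):
    """Run the check over raw From: header values. The display name is
    deliberately ignored: attackers set it to the real client's name."""
    return [flag_lookalike_sender(parseaddr(raw)[1]) for raw in from_headers]

# Constructed sample From: headers, not real messages.
SAMPLE_FROM_HEADERS = [
    "Jane Doe <jane.doe@example-client.com>",                # genuine
    "Jane Doe <jane.doe@examp1e-client.com>",                # digit 1 for letter l
    "Acme Accounting <accounting@acrne-holdings.example>",   # rn for m
    "Bob <bob@unrelated.example>",                           # no client resembles it
]

for r in triage_from_headers(SAMPLE_FROM_HEADERS):
    print(f"{r['verdict']:9} {r['sender']}  closest={r['closest']} distance={r['distance']}")
```

A "lookalike" verdict is a prompt to confirm by phone at a number already on file, not proof of fraud; an "unknown" sender on a refund or wire request deserves the same call.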
Cyber-criminals who access firm email accounts often manipulate incoming and outgoing messages. These messages are designed to trick recipients into clicking on links, pop-ups, or attachments (phishing scams) to compromise accounts or trigger malware.
Once a fraudulent link or attachment is clicked, hackers can install malware and access other email accounts and internal computer networks. Hackers will spend time studying email messages and computer systems in preparation for ransomware attacks, which encrypt files and data, rendering them inaccessible. The hacker then demands a ransom in exchange for the release of the files.
Loss Prevention Tips
- Be sure to use software with updated security options to defend against malware, viruses, and phishing and hacker attacks. Create and enforce a policy to regularly update and patch all software.
- Never click a link, pop-up or attachment without first hovering your cursor over the link to display the URL. If it’s not a URL you recognize, or if it’s abbreviated or tweaked in any way, don’t click it.
- Use your professional skepticism to avoid being lulled into a false sense of comfort regarding email and other communications from clients and third parties. Any request for money or a tax refund to be transferred or deposited into a bank account unfamiliar to you is often a red flag, especially if the new account is in another country.
- Obtain verbal confirmation, using a phone number already on file rather than one supplied in the message, if you receive an email from a client requesting changes to their tax refund destination or their wire transfer. Do not rely on email replies: if the original request came from a compromised or spoofed account, the reply goes back to the fraudster. Voicemail that is converted into email is no better, since it arrives through the same unreliable channel.
- Educate all employees about good cyber-hygiene and how to avoid phishing attempts that target them with social engineering techniques designed to install malware or to deceive and elicit confidential information.
- Back up all important data and information frequently to reduce the likelihood that critical data is lost in the event of a cyber-attack or a physical incident such as a fire or flood. Keep the backups in a remote or external location, disconnected from the firm's network, where they are safe from ransomware that seeks out backup copies. Periodically verify that the backups are running and that files can actually be restored from them.
- Add another layer of security with multi-factor authentication. Usernames and passwords alone are often insufficient for preventing account takeovers. Adding and combining factors provides greater protection.
- Avoid public wi-fi or hotspots when inputting or working with personally identifiable information (PII). Cyber-criminals can easily see individuals’ information on public wi-fi. Wait until you’re on a trusted network.
- Install a secure client web portal that will archive and store your clients’ personal documents and data. A portal will lower your staff’s administrative burden, ease the burden of locating important electronic documents, and eliminate the need to hunt for those documents within extended email threads.